{ "type": "URL", "indicator": "https://208.68.237.5", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://208.68.237.5", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3875749052, "indicator": "https://208.68.237.5", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6621872309f454a3d9ca765e", "name": "Obligatory hash dump for files submitted. but not processed on OTX", "description": "Hashdump for the files OTX was not able to parse the past week.", "modified": "2024-04-23T14:28:28.676000", "created": "2024-04-18T20:48:35.875000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "memoryfile scan", "ansi", "file", "indicator", "pcap", "pcap processing", "ck id", "date", "mitre att", "expiration date", "suspicious", "hybrid", "crypto", "close", "click", "april", "strings", "malicious", "february", "middle", "exploit", "gameover", "contact" ], "references": [ "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/662182c7a7006bee9c063e29" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 118, "FileHash-SHA1": 114, "FileHash-SHA256": 427, "CVE": 2, "URL": 9, "email": 3, "hostname": 2 }, "indicator_count": 675, "is_author": false, "is_subscribing": null, "subscriber_count": 73, "modified_text": "767 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66207a021131686c618c5239", "name": "Request for verification - Production Archlinux delivering malware spiked systemd library", "description": "I was mainly making this pulse to ask for a second pair of eyes. or as many pairs of eyes as possible to take a look to verify the VT and HA detentions. But with OTX parsing the data it seems to be open and shut. For posterity; Can anyone independently verify these? The files are on disk and actively being distributed via Arch's mirrors.", "modified": "2024-04-23T14:28:28.051000", "created": "2024-04-18T01:40:18.783000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "memoryfile scan", "ansi", "file", "indicator", "date", "pcap", "pcap processing", "threat level", "update", "sha256", "suspicious", "hybrid", "crypto", "close", "click", "april", "strings", "malicious", "february", "middle", "exploit", "gameover", "contact", "please", "javascript", "bpf program", "bpf firewalling", "bpffallowmulti", "bpf device", "ck id", "a ansi", "path", "luks device", "uuid", "luks superblock", "luks", "json record", "pkcs", "weird" ], "references": [ "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661dec693ba6f76f1b0f856a", "https://www.virustotal.com/gui/file/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/detection/f-ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03-1713373572", "https://www.virustotal.com/gui/file/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/details", "https://www.virustotal.com/gui/file/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/relations", "https://www.virustotal.com/gui/file/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/behavior", "https://www.virustotal.com/gui/file/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/behavior", "https://www.virustotal.com/gui/file/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/relations", "https://www.virustotal.com/gui/file/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/details", "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661dac27782fbd32e806df1d", "https://hybrid-analysis.com/sample/2f775f70ce6fe5ad7ab68b60d7b84095a3423754ba8e92ed741f5c34594db066/662069f4da14ed794b09465f", "https://www.virustotal.com/graph/embed/g96ed65553dbb48529d42c037" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Linux/Gafgyt", "display_name": "Backdoor:Linux/Gafgyt", "target": "/malware/Backdoor:Linux/Gafgyt" }, { "id": "DDoS:Linux/Gafgyt", "display_name": "DDoS:Linux/Gafgyt", "target": "/malware/DDoS:Linux/Gafgyt" }, { "id": "Trojan:Linux/Gafgyt", "display_name": "Trojan:Linux/Gafgyt", "target": "/malware/Trojan:Linux/Gafgyt" }, { "id": "Gafgyt", "display_name": "Gafgyt", "target": null }, { "id": "necrobot", "display_name": "necrobot", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "ELF:Mirai-AAU\\ [Trj]", "display_name": "ELF:Mirai-AAU\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Mirai-5607483-0", "display_name": "Unix.Trojan.Mirai-5607483-0", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Mirai-5932143-0", "display_name": "Unix.Trojan.Mirai-5932143-0", "target": null }, { "id": "Unix.Malware.Agent-7006122-0", "display_name": "Unix.Malware.Agent-7006122-0", "target": null }, { "id": "Unix.Dropper.Mirai-7338044-0", "display_name": "Unix.Dropper.Mirai-7338044-0", "target": null }, { "id": "Unix.Malware.Agent-7005780-0", "display_name": "Unix.Malware.Agent-7005780-0", "target": null }, { "id": "Unix.Trojan.Mirai-6976991-0", "display_name": "Unix.Trojan.Mirai-6976991-0", "target": null }, { "id": "CoinMiner", "display_name": "CoinMiner", "target": null }, { "id": "DDoS:Linux/Lightaidra", "display_name": "DDoS:Linux/Lightaidra", "target": "/malware/DDoS:Linux/Lightaidra" }, { "id": "Py.Trojan.NecroBot-9868091-0", "display_name": "Py.Trojan.NecroBot-9868091-0", "target": null }, { "id": "ELF/Sakura, Gafygt", "display_name": "ELF/Sakura, Gafygt", "target": null }, { "id": "ELF:Agent-AWA\\ [Trj]", "display_name": "ELF:Agent-AWA\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 30, "FileHash-SHA1": 26, "FileHash-SHA256": 23, "CVE": 2, "URL": 9, "domain": 1, "email": 3, "hostname": 5 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "767 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.virustotal.com/gui/file/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/details", "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/662182c7a7006bee9c063e29", "https://www.virustotal.com/gui/file/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/detection/f-ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03-1713373572", "https://hybrid-analysis.com/sample/2f775f70ce6fe5ad7ab68b60d7b84095a3423754ba8e92ed741f5c34594db066/662069f4da14ed794b09465f", "https://www.virustotal.com/gui/file/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/behavior", "https://www.virustotal.com/gui/file/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/relations", "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661dac27782fbd32e806df1d", "https://www.virustotal.com/gui/file/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/behavior", "https://www.virustotal.com/graph/embed/g96ed65553dbb48529d42c037", "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661dec693ba6f76f1b0f856a", "https://www.virustotal.com/gui/file/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/relations", "https://www.virustotal.com/gui/file/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/details" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Unix.trojan.mirai-6976991-0", "Elf:mirai-aau\\ [trj]", "Backdoor:linux/mirai", "Unix.trojan.mirai-5607483-0", "Unix.trojan.mirai-5932143-0", "Mirai (elf)", "Necrobot", "Unix.malware.agent-7005780-0", "Elf:agent-awa\\ [trj]", "Unix.malware.agent-7006122-0", "Gafgyt", "Unix.dropper.mirai-7338044-0", "Ddos:linux/lightaidra", "Py.trojan.necrobot-9868091-0", "Elf/sakura, gafygt", "Mirai", "Backdoor:linux/gafgyt", "Coinminer", "Ddos:linux/gafgyt", "Trojan:linux/gafgyt", "Other:malware-gen\\ [trj]" ], "industries": [], "unique_indicators": 731 } } }, "false_positive": [], "alexa": "", "whois": "http://whois.domaintools.com/208.68.237.5", "domain": "Unavailable", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6621872309f454a3d9ca765e", "name": "Obligatory hash dump for files submitted. but not processed on OTX", "description": "Hashdump for the files OTX was not able to parse the past week.", "modified": "2024-04-23T14:28:28.676000", "created": "2024-04-18T20:48:35.875000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "memoryfile scan", "ansi", "file", "indicator", "pcap", "pcap processing", "ck id", "date", "mitre att", "expiration date", "suspicious", "hybrid", "crypto", "close", "click", "april", "strings", "malicious", "february", "middle", "exploit", "gameover", "contact" ], "references": [ "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/662182c7a7006bee9c063e29" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 118, "FileHash-SHA1": 114, "FileHash-SHA256": 427, "CVE": 2, "URL": 9, "email": 3, "hostname": 2 }, "indicator_count": 675, "is_author": false, "is_subscribing": null, "subscriber_count": 73, "modified_text": "767 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66207a021131686c618c5239", "name": "Request for verification - Production Archlinux delivering malware spiked systemd library", "description": "I was mainly making this pulse to ask for a second pair of eyes. or as many pairs of eyes as possible to take a look to verify the VT and HA detentions. But with OTX parsing the data it seems to be open and shut. For posterity; Can anyone independently verify these? The files are on disk and actively being distributed via Arch's mirrors.", "modified": "2024-04-23T14:28:28.051000", "created": "2024-04-18T01:40:18.783000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "memoryfile scan", "ansi", "file", "indicator", "date", "pcap", "pcap processing", "threat level", "update", "sha256", "suspicious", "hybrid", "crypto", "close", "click", "april", "strings", "malicious", "february", "middle", "exploit", "gameover", "contact", "please", "javascript", "bpf program", "bpf firewalling", "bpffallowmulti", "bpf device", "ck id", "a ansi", "path", "luks device", "uuid", "luks superblock", "luks", "json record", "pkcs", "weird" ], "references": [ "https://hybrid-analysis.com/sample/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/661dec693ba6f76f1b0f856a", "https://www.virustotal.com/gui/file/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/detection/f-ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03-1713373572", "https://www.virustotal.com/gui/file/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/details", "https://www.virustotal.com/gui/file/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/relations", "https://www.virustotal.com/gui/file/ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03/behavior", "https://www.virustotal.com/gui/file/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/behavior", "https://www.virustotal.com/gui/file/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/relations", "https://www.virustotal.com/gui/file/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/details", "https://hybrid-analysis.com/sample/b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169/661dac27782fbd32e806df1d", "https://hybrid-analysis.com/sample/2f775f70ce6fe5ad7ab68b60d7b84095a3423754ba8e92ed741f5c34594db066/662069f4da14ed794b09465f", "https://www.virustotal.com/graph/embed/g96ed65553dbb48529d42c037" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Linux/Gafgyt", "display_name": "Backdoor:Linux/Gafgyt", "target": "/malware/Backdoor:Linux/Gafgyt" }, { "id": "DDoS:Linux/Gafgyt", "display_name": "DDoS:Linux/Gafgyt", "target": "/malware/DDoS:Linux/Gafgyt" }, { "id": "Trojan:Linux/Gafgyt", "display_name": "Trojan:Linux/Gafgyt", "target": "/malware/Trojan:Linux/Gafgyt" }, { "id": "Gafgyt", "display_name": "Gafgyt", "target": null }, { "id": "necrobot", "display_name": "necrobot", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Mirai (ELF)", "display_name": "Mirai (ELF)", "target": null }, { "id": "ELF:Mirai-AAU\\ [Trj]", "display_name": "ELF:Mirai-AAU\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Mirai-5607483-0", "display_name": "Unix.Trojan.Mirai-5607483-0", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Unix.Trojan.Mirai-5932143-0", "display_name": "Unix.Trojan.Mirai-5932143-0", "target": null }, { "id": "Unix.Malware.Agent-7006122-0", "display_name": "Unix.Malware.Agent-7006122-0", "target": null }, { "id": "Unix.Dropper.Mirai-7338044-0", "display_name": "Unix.Dropper.Mirai-7338044-0", "target": null }, { "id": "Unix.Malware.Agent-7005780-0", "display_name": "Unix.Malware.Agent-7005780-0", "target": null }, { "id": "Unix.Trojan.Mirai-6976991-0", "display_name": "Unix.Trojan.Mirai-6976991-0", "target": null }, { "id": "CoinMiner", "display_name": "CoinMiner", "target": null }, { "id": "DDoS:Linux/Lightaidra", "display_name": "DDoS:Linux/Lightaidra", "target": "/malware/DDoS:Linux/Lightaidra" }, { "id": "Py.Trojan.NecroBot-9868091-0", "display_name": "Py.Trojan.NecroBot-9868091-0", "target": null }, { "id": "ELF/Sakura, Gafygt", "display_name": "ELF/Sakura, Gafygt", "target": null }, { "id": "ELF:Agent-AWA\\ [Trj]", "display_name": "ELF:Agent-AWA\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 30, "FileHash-SHA1": 26, "FileHash-SHA256": 23, "CVE": 2, "URL": 9, "domain": 1, "email": 3, "hostname": 5 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "767 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://208.68.237.5", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://208.68.237.5", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780236473.266958 }